Simon Kelley
6a0b00f0d6
Misc code cleanups arising from Google analysis.
...
No security impleications or CVEs.
2017-09-25 20:19:55 +01:00
Simon Kelley
0549c73b7e
Security fix, CVE-2017-14491 DNS heap buffer overflow.
...
Fix heap overflow in DNS code. This is a potentially serious
security hole. It allows an attacker who can make DNS
requests to dnsmasq, and who controls the contents of
a domain, which is thereby queried, to overflow
(by 2 bytes) a heap buffer and either crash, or
even take control of, dnsmasq.
2017-09-25 18:17:11 +01:00
Simon Kelley
63437ffbb5
Fix CVE-2017-13704, which resulted in a crash on a large DNS query.
...
A DNS query recieved by UDP which exceeds 512 bytes (or the EDNS0 packet size,
if different.) is enough to cause SIGSEGV.
2017-09-06 22:34:21 +01:00
Simon Kelley
50ca85504c
Bump year in copyrights.
2017-06-24 22:43:18 +01:00
Vladislav Grishenko
5a7212c70e
Make --rev-server work in the presence of --bogus-priv.
2017-04-24 22:21:04 +01:00
Simon Kelley
fca008d8d4
Make --bogus-priv apply to IPv6.
2017-02-19 18:50:41 +00:00
klemens
43517fcaf5
Spelling fixes.
2017-02-19 15:53:37 +00:00
Josh Soref
730c6745f0
Comprehensive spelling/typo fixes.
...
Thanks to Josh Soref for generating these fixes.
2017-02-06 16:14:04 +00:00
Simon Kelley
d42d4706bb
Make --localise-queries apply to names from --interface-name.
2017-02-02 16:52:06 +00:00
Kevin Darbyshire-Bryant
7ac9ae1125
Compile time option NO_ID
...
Some consider it good practice to obscure software version numbers to
clients. Compiling with -DNO_ID removes the *.bind info structure.
This includes: version, author, copyright, cachesize, cache insertions,
evictions, misses & hits, auth & servers.
2016-09-09 20:52:08 +01:00
Simon Kelley
fa78573778
Zero packet buffers before building output, to reduce risk of information leakage.
2016-07-22 20:56:01 +01:00
Simon Kelley
c7f3bd2ac8
Replace incoming EDNS0_OPTION_NOMDEVICEID and EDNS0_OPTION_NOMCPEID options.
2016-02-28 21:48:34 +00:00
Simon Kelley
7480aeffc8
Apply ceiling of lease length to TTL when --dhcp-ttl in use.
2016-02-26 21:58:20 +00:00
Simon Kelley
832e47beab
Add --dhcp-ttl option.
2016-02-24 21:24:45 +00:00
Simon Kelley
df3d54f776
Add TTL parameter to --host-record and --cname.
2016-02-24 21:03:38 +00:00
Simon Kelley
d05dd58de1
Fix wrong reply to simple name when --domain-needed set and no servers configured.
...
Also return REFUSED and not SERVFAIL when out of memory.
Thanks to Allain Legacy for problem report.
2016-01-19 21:23:30 +00:00
Simon Kelley
c49778df4a
Update copyright notices. Happy new year!
2016-01-06 18:52:33 +00:00
Simon Kelley
1d03016bbc
Split EDNS0 stuff into its own source file.
2015-12-21 14:17:06 +00:00
Simon Kelley
fa14bec83b
Major tidy up of EDNS0 handling and computation/use of udp packet size.
2015-12-20 17:12:16 +00:00
Simon Kelley
dd4ad9ac7e
Tweaks to EDNS0 handling in DNS replies.
2015-12-17 10:44:58 +00:00
Simon Kelley
93be5b1e02
Abandon caching RRSIGs and returning them from cache.
...
The list of exceptions to being able to locally answer
cached data for validated records when DNSSEC data is requested
was getting too long, so don't ever do that. This means
that the cache no longer has to hold RRSIGS and allows
us to lose lots of code. Note that cached validated
answers are still returned as long as do=0
2015-12-15 12:04:40 +00:00
Simon Kelley
90477fb794
Update list of subnet for --bogus-priv
...
RFC6303 specifies & recommends following zones not be forwarded
to globally facing servers.
+------------------------------+-----------------------+
| Zone | Description |
+------------------------------+-----------------------+
| 0.IN-ADDR.ARPA | IPv4 "THIS" NETWORK |
| 127.IN-ADDR.ARPA | IPv4 Loopback NETWORK |
| 254.169.IN-ADDR.ARPA | IPv4 LINK LOCAL |
| 2.0.192.IN-ADDR.ARPA | IPv4 TEST-NET-1 |
| 100.51.198.IN-ADDR.ARPA | IPv4 TEST-NET-2 |
| 113.0.203.IN-ADDR.ARPA | IPv4 TEST-NET-3 |
| 255.255.255.255.IN-ADDR.ARPA | IPv4 BROADCAST |
+------------------------------+-----------------------+
Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk >
2015-10-20 21:21:32 +01:00
Ed Bardsley
a7369bef8a
Enhance --add-subnet to allow arbitary subnet addresses.
2015-08-05 21:17:18 +01:00
Simon Kelley
d2aa7dfbb6
Include 0.0.0.0/8 in DNS rebind checks.
2015-08-03 21:52:12 +01:00
Simon Kelley
06568c6636
Remove support for DNS Extended Label Types.
...
The support was only partial, and the whole concept is
now deprecated in the standards.
2015-05-15 20:43:48 +01:00
Simon Kelley
5d07d77e75
Fix buffer overflow introduced in 2.73rc6.
...
Fix off-by-one in code which checks for over-long domain names
in received DNS packets. This enables buffer overflow attacks
which can certainly crash dnsmasq and may allow for arbitrary
code execution. The problem was introduced in commit b8f16556d
2015-05-15 18:13:06 +01:00
Simon Kelley
b059c96dc6
Check IPv4-mapped IPv6 addresses with --stop-rebind.
2015-05-08 20:25:51 +01:00
Simon Kelley
a77cec8d58
Handle UDP packet loss when fragmentation of large packets is broken.
2015-05-08 16:25:38 +01:00
Simon Kelley
2ed162ac20
Don't remove RRSIG RR from answers to ANY queries when the do bit is not set.
2015-04-28 21:26:35 +01:00
Simon Kelley
b8f16556d3
Tweaks to previous, DNS label charset commit.
2015-04-22 21:14:31 +01:00
Simon Kelley
cbe379ad6b
Handle domain names with '.' or /000 within labels.
...
Only in DNSSEC mode, where we might need to validate or store
such names. In none-DNSSEC mode, simply don't cache these, as before.
2015-04-21 22:57:06 +01:00
Simon Kelley
ad4a8ff7d9
Fix crash on receipt of certain malformed DNS requests.
2015-04-09 21:48:00 +01:00
Simon Kelley
394ff492da
Allow control characters in names in the cache, handle when logging.
2015-03-29 22:17:14 +01:00
Simon Kelley
1e153945de
DNSSEC fix for non-ascii characters in labels.
2015-03-28 21:34:07 +00:00
Simon Kelley
aff3396280
Update copyrights for dawn of 2015.
2015-01-31 20:13:40 +00:00
Simon Kelley
ae4624bf46
Logs for DS records consistent.
2015-01-12 23:22:08 +00:00
Glen Huang
32fc6dbe03
Add --ignore-address option.
2014-12-27 15:28:12 +00:00
Simon Kelley
476693678e
Eliminate IPv6 privacy addresses from --interface-name answers.
2014-12-17 12:41:56 +00:00
Simon Kelley
288df49c96
Fix bug when resulted in NXDOMAIN answers instead of NODATA.
...
check_for_local_domain() was broken due to new code matching F_*
bits in cache entries for DNSSEC. Because F_DNSKEY | F_DS is
used to match RRSIG entries, cache_find_by_name() insists on an exact match
of those bits. So adding F_DS to the bits that check_for_local_domain()
sends to cache_find_by_name() won't result in DS records as well
as the others, it results in only DS records. Add a new bit, F_NSIGMATCH
which suitably changes the behaviour of cache_find_by_name().
2014-09-18 21:55:27 +01:00
Simon Kelley
b7639d5815
Fix ipsets logging patch.
2014-03-29 09:20:07 +00:00
Wang Jian
49752b90d5
Log IPSET actions.
2014-03-28 20:52:47 +00:00
Simon Kelley
fec216df32
Cache stats availble in CHAOS .bind domain.
2014-03-27 20:54:34 +00:00
Andy
3e21a1a6fa
Tidy uid defines.
2014-03-22 19:10:07 +00:00
Simon Kelley
03431d6373
Initialise uid when creating CNAME cache record.
2014-03-20 16:25:43 +00:00
Simon Kelley
3f7483e816
Handle integer overflow in uid counter. Fixes rare crashes in cache code.
2014-03-16 22:56:58 +00:00
Simon Kelley
29fe922b14
Can have local DS records (trust anchors).
2014-03-01 22:53:57 +00:00
Simon Kelley
d1fbb77e0f
Don't cache secure replies which we've messsed with.
2014-03-01 20:08:58 +00:00
Simon Kelley
1fbe4d2f5f
Tweak tuning params.
2014-03-01 20:03:47 +00:00
Simon Kelley
00a5b5d477
Check that unsigned replies come from unsigned zones if --dnssec-check-unsigned set.
2014-02-28 18:10:55 +00:00
Simon Kelley
b8eac19177
Negative caching for DS records.
2014-02-27 14:30:03 +00:00
